{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VpcPermission",
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateDhcpOptions",
                "ec2:AssociateRouteTable",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:CreateDhcpOptions",
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateVpc",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteNatGateway",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteVpc",
                "ec2:DescribeAddresses",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNatGateways",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DetachInternetGateway",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:DisassociateSubnetCidrBlock",
                "ec2:DisassociateVpcCidrBlock",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:ReleaseAddress",
                "ec2:createTags",
                "ec2:DeleteTags",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeAccountAttributes"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "cloudformation.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "IamCreateRolePolicyPermission",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::<aws_account_id>:role/EMRStudio_Service_Role",
                "arn:aws:iam::<aws_account_id>:role/EMRStudio_User_Role",
                "arn:aws:iam::<aws_account_id>:role/ClusterTemplateLaunchRole",
                "arn:aws:iam::<aws_account_id>:policy/EMRStudio_Basic_User_Policy",
                "arn:aws:iam::<aws_account_id>:policy/EMRStudio_Intermediate_User_Policy",
                "arn:aws:iam::<aws_account_id>:policy/EMRStudio_Advanced_User_Policy",
                "arn:aws:iam::<aws_account_id>:policy/EMRStudioServiceRolePolicy",
                "arn:aws:iam::<aws_account_id>:policy/ClusterTemplateLaunchConstraintPolicy"
            ],
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DetachRolePolicy",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:ListPolicyVersions"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "cloudformation.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "CloudformationPermission",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:cloudformation:<region>:<aws_account_id>:stack/emr-studio-dependencies/*"
            ],
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DeleteStack"
            ]
        },
        {
            "Sid": "StudioStorageS3BucketPermission",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::emr-studio-dependencies-emrstudiostoragebucket*"
            ],
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "cloudformation.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "ServiceCatalogCreatePortfolioProductsPermission",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:servicecatalog:<region>:<aws_account_id>:*",
                "arn:aws:servicecatalog:<region>:<aws_account_id>:*/*",
                "arn:aws:catalog:<region>:<aws_account_id>:portfolio/*",
                "arn:aws:catalog:<region>:<aws_account_id>:product/*"
            ],
            "Action": [
                "servicecatalog:CreatePortfolio",
                "servicecatalog:UpdatePortfolio",
                "servicecatalog:CreateProduct",
                "servicecatalog:UpdateProduct",
                "servicecatalog:DescribeProduct",
                "servicecatalog:DescribeProductAsAdmin",
                "servicecatalog:AssociatePrincipalWithPortfolio",
                "servicecatalog:DisassociatePrincipalFromPortfolio",
                "servicecatalog:AssociateProductWithPortfolio",
                "servicecatalog:DisassociateProductFromPortfolio",
                "servicecatalog:CreateConstraint",
                "servicecatalog:DescribeConstraint",
                "servicecatalog:DeleteConstraint",
                "servicecatalog:CreateProvisioningArtifact",
                "servicecatalog:DescribeProvisioningArtifact",
                "servicecatalog:DeleteProduct",
                "servicecatalog:DeletePortfolio"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "cloudformation.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "ServiceCatalogProductPassLaunchConstraintPermission",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::<aws_account_id>:role/ClusterTemplateLaunchRole",
            "Action": [
                "iam:PassRole"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "servicecatalog.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AdditionalCloudformationPermissionForServiceCatalogCloudformationProduct",
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "cloudformation:ValidateTemplate"
            ]
        }
    ]
}